(54) Title: HUB FOR SEGMENTED VIRTUAL LOCAL AREA NETWORK
(57) Abstract 

A hub (10) for a segmented virtual local area network with
shared media access has at least one internal port (12) for receiving
and transmitting digital data messages within the hub and may have at
least one external port (18) for receiving and transmitting digital data
messages external to the hub. The hub further includes a memory (42)
for storing virtual local area network (VLAN) designations for internal
and external ports, means (60) for associating VLAN designations with
at least one internal port and storing such VLAN designations in the
memory, and means (64) for associating the stored VLAN designations
with messages transmitted from any of the ports to which the VLAN
designation has been assigned. Additionally, the hub includes both
means (66) for identifying VLAN designations associated with messages
received by or within the hub and means (68) for transmitting to any
of the internal ports only messages received within the hub and having
associated with them a VLAN designation which matches the stored
VLAN designation assigned to the port. The hub may also have the
ability to store media access control (MAC) addresses associated with
ports and only send a message to a port when the destination address
of the message is known to be reachable through that port.
HUB FOR SEGMENTED VIRTUAL LOCAL AREA NETWORK

Field of the Invention 

This invention relates generally to local area
networks for digital data communication and, more
particularly, to network hubs for local area networks
with enhanced privacy and optimized use of network
bandwidth.

Background of the Invention

A local area network (LAN) for digital data
communications typically includes a plurality of network
hubs interconnected by a suitable backbone transmission
network. Individual hubs in a LAN may include one or
more internal ports to which end stations may be
connected and one or more external ports for transmitting
messages from the hub to the backbone transmission
network and for receiving messages for the hub from the
backbone transmission network. In such a LAN, messages
originating at an internal port of one hub, or at an end
station connected to an internal port of such a hub, are
commonly transmitted to every other hub and end station
in the LAN, although typically they are addressed to only
a single end station within the LAN. Message security
depends upon limiting access by individual hubs and end
stations to only those messages specifically addressed to
them. Because all messages share the same transmission
media (including the backbone network), both the number
and the size of the messages carried by the LAN at any
one time are limited by the available transmission
bandwidth. If enhanced security and more efficient use
of the available bandwidth are desired, it is generally
necessary to rewire the LAN physically so that it
includes only the smaller subset of hubs or end stations
needed.

In the past, separately wired LANs have often been
interconnected by so-called bridging or routing functions
allowing the transfer of messages from a port or end
station of a hub in one LAN to a port or end station of a
hub in another LAN. Bridges, as a minimum, examine the
addresses contained by a message to accomplish the
desired transfers, whereas routers provide more
functionality, commonly supplying such capabilities as
protocol conversions and store and forward operation.
Bridging and routing functions not only tend to be
complex to implement but also can potentially detract
from both message security and most efficient use of
transmission bandwidth.

A previous approach to enhancing message security
and improving bandwidth efficiency in the context of
interconnected data terminals avoided the shared
transmission media of a hard wired LAN entirely and
depended, instead, upon use of a switched
telecommunications network as the sole interconnection
medium. Such an approach is illustrated in U.S. Patent
No. 4,823,338, which issued April 18, 1989, to Kenneth K.
Chan et al.

In the arrangement disclosed by the Chan et al.
patent, a plurality of data terminals are interconnected
by a switched telecommunications network and a central
processor is used as a server to control all switched
actions. More specifically, each data terminal requires
a separate connection, known as an "umbilical
connection", to the server and the server is connected to
control the appropriate telecommunications network switch
or switches.

The server in the arrangement disclosed in the Chan
et al. patent also keeps track of both an address and a
"LAN" designation of each data terminal and permits calls
to be established through the switched network only to
those data terminals which not only share a "LAN"
designation with the originating data terminal but also
have the destination addresses for which the messages are
intended. For any given message, no switching connection
is established to data terminals other than those to
which the message is addressed and also bear the "LAN"
designation of the originating terminal, thereby
providing a relatively high degree of message security.
Also, because the message needed to traverse only that
portion of the telecommunications network extending from
the originating terminal to the terminating terminal,
message bandwidth is constrained only by transmission
bandwidth made available by the portion of the network
actually used. The resulting arrangement is called a
"virtual LAN" because there are no fixed interconnections
between its member terminals. Instead, interconnections
can be established or disestablished simply by messages
sent to the central server to identify members of the
"virtual LAN".

Because the approach disclosed in the Chan et al.
patent avoids use of shared transmission media and
depends upon use of a switched telecommunications network
as the sole interconnection between terminals, it is
inapplicable to and will not work in the context of a
conventional LAN. Moreover, the central processor used
as a server not only imposes substantial overhead costs
upon the system but also is vulnerable to failure in the
sense that, when it fails, the whole "virtual LAN" fails.
An important need for enhancing message security and
improving bandwidth efficiency in more conventional LANs,
dependent upon shared transmission media which may be
hard wired, switched, or both, thus still remains.

Summary of the Invention

The present invention is a digital data
communications network hub which makes possible
establishment of a segmented virtual local area network
(VLAN) within a larger LAN, relying upon shared
transmission media to form a backbone network. Such a
VLAN affords enhanced message security and more efficient
use of backbone network transmission bandwidth. It does
so, moreover, relatively simply and inexpensively and in
a manner immune to centralized system failure.

Instead of being dependent upon a switched
telecommunications network and upon a centralized
processor-server, the present invention is hub oriented
and software controlled in the sense that it readily
permits one or more hubs in a shared transmission media
access LAN to be associated with one another on demand to
form one or more segmented VLANs within a larger LAN.
Each VLAN so provided is made up only of those segments
of the larger LAN that are specific unto itself.
Bridging and routing functions are no longer needed to
transfer a message from one LAN to another because VLANs
may be configured or reconfigured at will within a single
LAN or within a network comprising multiple LANs
connected by backbone networks. The present invention
has the advantage of still retaining the conventional LAN
activities, working environment, and access for a LAN
workgroup consisting of a number of end stations that are
all located on the same internal port of a hub while at
the same time providing the enhanced functionality of the
VLAN concept in the larger context of the total network.

From one aspect of the invention, a digital data
communications network hub for use in a shared
transmission media access LAN includes at least one
internal port for receiving and transmitting messages
within the hub. The hub may also include at least one
external port for receiving and transmitting messages
external to the hub. The hub further includes a memory
for storing VLAN designations for at least some of the
internal and external ports, means for assigning a VLAN
designation to at least one of the internal ports and
storing the assigned VLAN designation in the memory, and
means for associating the stored VLAN designation with
messages transmitted from any of the internal ports to
which the stored VLAN designation has been assigned.
Associating, in this sense, is intended to encompass
adding the stored VLAN designation to messages
originating at an internal port within the hub and
transmitted out of the hub by way of an external port.

Additionally, the hub includes both means for
identifying VLAN designations associated with messages
directed to any of the internal ports and means for
transmitting to any of the internal ports only messages
received within the hub having an associated VLAN
designation which matches the stored VLAN designation
assigned to the port. Different internal ports may, if
necessary, be assigned different VLAN designations
simultaneously and any one of the internal ports may be
assigned more than one VLAN designation. Both added
security and enhanced bandwidth efficiency are obtained
because a message is not transmitted to internal ports
unless such ports bear the VLAN designation associated
with the message. In other words, each message traverses
only the segment or segments of a shared transmission
medium which take it to internal ports which are part of
the same VLAN as the port which originated the message
and neither traverses nor needs to traverse any other
segments. All functions may readily be software
implemented in the interest of simplifying VLAN
configuration and reconfiguration.

From another aspect of the invention, the hub may
include means for transmitting outside the hub through an
external port only messages from internal ports having
associated with them a VLAN designation matching a VLAN
designation associated with that external port.

From still another aspect of the invention, the
digital data communication network hub's memory may also
store addresses for end stations connected to any of the
hub's internal ports and at least selected addresses for
end stations connected to the hub through any of its
external ports. A hub so equipped may include means for
determining the address of each end station connected to
any of its internal ports and storing the end station
addresses in the memory. Likewise, means may be provided
to ascertain the addresses of end stations that may be
reached through specific external ports and storing those
addresses in the memory as well.

A hub, from another aspect of the invention, may
also include means for identifying destination addresses
carried by messages received within the hub and means for
transmitting to any of the internal ports only received
messages which both have a VLAN designation which matches
a stored VLAN designation assigned to that particular
port and carry a destination address which matches the
stored address of an end station connected to the same
port. Message security and shared transmission media
bandwidth efficiency are thus further enhanced. Once
again, functions are preferably software implemented in
order to simplify VLAN configuration and reconfiguration.

From another aspect of the invention, the hub may
include means for transmitting outside the hub from an
external port messages having associated with them the
assigned VLAN designation and originating from any of the
internal ports only when the destination addresses of
such transmitted messages do not match an address stored
in memory of an internal port within the hub.

From yet another aspect of the invention, the hub
includes means for transmitting outside the hub from an
external port messages having associated with them the
assigned VLAN designation and originating from any of the
internal ports only when such messages do not carry
destination addresses matching either the stored address
of an internal port within the hub or the stored address
of an end station connected to an internal port within
the hub or when such messages can be reached from another
external port.

From still another aspect of the invention, the hub
includes means for transmitting outside the hub from an
external port only messages carrying destination
addresses which match addresses stored in its memory for
end stations connected to the hub through such an
external port or messages from internal ports whose VLAN
designations match that of the external port.

The invention may be more fully understood from the
following detailed description of a specific embodiment,
taken in the light of the accompanying drawing and the
appended claims.

Brief Description of the Drawing 

FIG. 1 is a block diagram of a digital data
communications hub in accordance with the invention
having multiple end stations connected to each internal
port;

FIG. 2 is a block diagram of a flow processing
element suitable for use in the hub illustrated in FIG. 1;

FIG. 3 is a block diagram showing several digital
data communications hubs in accordance with the invention
interconnected by a backbone transmission network;

FIG. 4 illustrates the format of a typical digital
data message carried by a LAN;

FIG. 5 illustrates the format of a digital data
message with a VLAN designation appended;

FIG. 6 illustrates the format of a digital data
message with a VLAN designation appended, encapsulated
for transmission over a packet backbone network; and

FIG. 7 illustrates the format of a digital data
message with a VLAN designation appended, encapsulated
for transmission over an asynchronous transfer method
(ATM) backbone network.

Detailed Description

FIG. 1 shows a digital data communications network
hub 10 in accordance with the invention having three
internal ports 12, 14, and 16 and one external port 18.
Although FIG. 1 shows this specific number of ports by
way of illustration, such a hub may have one or more
internal ports and zero, one, or more external ports.

By way of illustration, each of internal ports 12,
14, and 16 of hub 10 is shown with three end stations
connected to it. End stations 20, 22, and 24 are
connected to internal port 12, end stations 26, 28, and
30 are connected to internal port 14, and end stations
32, 34, and 36 are connected to internal port 16. In
practice, hub 10 may have zero, one, or more end stations
on each of its internal ports, depending upon specific
communication needs. Specific protocols used for the
internal port to end station couplings are not specified
because different internal ports on the same hub may use
different technologies and protocols to make appropriate
end station connections.

Network hub 10 further includes a flow processing
element (FPE) 40 and a local memory 42 for storing VLAN
designations for internal ports 12, 14, and 16, media
access control (MAC) addresses for end stations 20, 22,
24, 26, 28, 30, 32, 34, and 36, MAC addresses, when
desired, for end stations associated with other network
hubs connected to hub 10 only through external port 18,
and VLAN designations, when desired, for external port 18
when such VLAN designations apply to ports and end
stations reachable through external port 18. In
addition, hub 10 includes a control path 44 between FPE
40 and memory 42, a message path 46 between FPE 40 and
internal port 12, a message path 48 between FPE 40 and
internal port 14, a message path 50 between FPE 40 and
internal port 16, and a message path 52 between FPE 40
and external port 18. FPE 40 preferably takes the form
of a software controlled central processing unit (CPU),
although hard wired logic circuitry may, of course, be
used instead if the reconfiguration flexibility afforded
by software is not desired or needed.

It should be noted that MAC addresses are unique
designations assigned during the manufacture of MAC
semiconductor chips for subsequent identification
purposes. By industry convention, no two MAC chips are
ever assigned the same MAC address designation, even if
made by different manufacturers. In hub 10, each of end
stations 20, 22, 24, 26, 28, 30, 32, 34, and 36 is
provided with a different MAC chip and thus receives its
own distinctive and unique MAC address. End stations
may, if desired, be provided with more than one MAC chip
and, hence, more than one MAC address, but single
addresses tend to be the norm. In addition, internal
ports 12, 14, and 16 may be provided with MAC chips and
thus individual MAC addresses of their own.

FIG. 2 is a symbolic block diagram of an
illustrative example of FPE 40 in network hub 10, showing
a control path 44 to memory 42, a message path 46 to
internal port 12, a message path 48 to internal port 14,
message path 50 to internal port 16, and a message path
52 to external port 52 (ports 12, 14, 16, and 18 are all
shown in FIG. 1). Included within FPE 40 are a number of
specific functions which may be either hardware or
software implemented. One function takes the form of
control means (VLAN CTL) 60 for associating VLAN
designations with any or all of internal ports 12, 14,
and 16 and external port 18 and storing the assigned VLAN
designations in memory 42. Another function takes the
form of means (MAC ADDR) 62 for determining the MAC
addresses of each of end stations 20, 22, 24, 26, 28, 30,
32, 34, and 36 (and the MAC addresses of each of internal
ports 12, 14, and 16 if such MAC addresses exist) and
storing those MAC addresses in memory 42. Means 62 may
also include the ability to store in memory 42 MAC
addresses of any of internal ports 12, 14, and 16 and MAC
addresses of internal ports and/or end stations
associated with other network hubs and connected to hub
10 only through external port 18. Because means 62 lacks
direct access to the latter remote internal ports and/or
end stations and hence lacks the ability to determine
their MAC addresses by itself, their identity may be
supplied to FPE 40 by a human operator, by local
software, by a remotely located control program, or by
any combination of the three.

Another function within FPE 40 takes the form of
means (VLAN MSSG) 64 for associating a stored VLAN
designation with each message transmitted from any of
internal ports 12, 14, and 16 to which that stored VLAN
designation has been assigned. Such association also
connotes adding stored VLAN designations to messages
originating within hub 10 and transmitted outside of hub
10 by way of external port 18. Still another function
takes the form of means (VLAN IDENT) 66 for identifying
VLAN designations associated with messages received by
FPE 40 within hub 10 from any of internal ports 12, 14,
or 16 or from external port 18 or carried by messages
received within hub 10 from external port 18.

Still another function within FPE 40 takes the form
of means (INT MSSG CTL) 68 for transmitting from FPE 40
to any of internal ports 12, 14, or 16 only received
messages (whether from external port 18 or from another
of internal ports 12, 14, and 16) which have an
associated VLAN designation which matches the stored VLAN
designation assigned to the port and carry a destination
address which matches the stored MAC address of an end
station connected to that same port or the stored MAC
address of that same port itself.

Yet another function takes the form of means (EXT
MSSG CTL) 70 for transmitting outside of hub 10 via
external port 18 transmitted messages from any of
internal ports 12, 14, and 16 associated with the
assigned VLAN designation only when such transmitted
messages are not addressed to either an internal port
within hub 10 or an end station connected to an internal
port within hub 10. Means 70 may, in addition, transmit
outside of hub 10 via external port 18 only messages
addressed to an end station or port outside of hub 10
when the MAC address of such end station or port is
stored in memory 42.

FIG. 3 shows how a number of similar network hubs in
accordance with the invention may be connected by a
backbone network 76 to form a physically larger network
than could be formed with a single hub. Backbone network
76 is a shared transmission medium and may include direct
wire or optical fiber connections, radio connections,
switched network connections, or any combination of
different types of connections. The important point is
that at least selected portions of backbone network 76
are shared by all messages transmitted contemporaneously
from any of external ports 18, 118, and 218.

Three hubs 10, 110, and 210 are shown in FIG. 3.
Hub 10 is identical to hub 10 in FIG. 1 and all
components and connected end stations bear the same
reference numerals as in FIG. 1. Hubs 110 and 210 are
also identical to hub 10 and all components and connected
end stations bear similar reference numerals in sequences
beginning with 110 and 210, respectively. Specifically,
hub 110 comprises internal ports 112, 114, and 116, an
external port 118, a FPE 140, and a memory 142, while hub
210 comprises internal ports 212, 214, and 216, an
external port 218, a FPE 240, and a memory 242.

End stations connected to internal ports 112, 114,
and 116 of hub 110 are generally similar to those
connected to corresponding internal ports of hub 10.
Connected to internal port 114 of hub 110 are end
stations 126, 128, and 130. Connected to internal port
116 of hub 110 are end stations 132, 134, and 136.

Hub 210 is similar and comprises internal ports 212,
214, and 216, an external port 218, a FPE 240, and a
memory 242. Connected to internal port 212 of hub 210
are end stations 220, 222, and 224. Connected to
internal port 214 of hub 210 are end stations 226, 228,
and 230. Connected to internal port 216 of hub 210 are
end stations 232, 234, and 236. Specific protocols used
for backbone network 76 are not specified herein because
different backbone links in the same network may in
practice use different technologies and different
protocols.

FIG. 4 illustrates the general sequential format of
a typical LAN message, which includes a start field 80, a
destination address (DA) field 82, a source address (SA)
field 84, a message content field 86, and an end field
88. Each end station associated with network hub 10, for
example, has a unique address determined by its own MAC
address chip. When an end station originates a data
message, its MAC address is inserted in the SA field 84
of outgoing messages. Similarly, the MAC address of an
end station for which the message is intended is inserted
in the DA field 82 of that same message. The MAC address
in DA field 82 is used to match the MAC address of end
stations in receiving hubs and end stations to determine
the end station for which the message is intended. Such
internal ports as internal ports 12, 14, and 16 may
themselves also have MAC addresses (e.g., for
administrative purposes independent of any connected end
stations). Each of such unique internal port MAC
addresses would be inserted in the DA and SA fields 82
and 84 instead of end station addresses, where
applicable.

The message format illustrated in FIG. 4 shows a 
digital data message created by, or intended for, any one 
of the end stations in FIG. 3. 

FIG. 5 shows the same message as FIG. 4 with a VLAN
designation field 90 appended preparatory to
encapsulating the message for transmission out of a hub
through an external port over backbone network 90.

FIGS. 6 and 7 show two different encapsulations of a
message like that shown in FIG. 5 for transmission on
backbone network 76, the first (FIG. 6) being for a
packet backbone network and the second (FIG. 7) being for
an Asynchronous Transfer Method (ATM) backbone network.
In FIG. 6, the packet encapsulation includes an initial
start and addressing field 92 for the backbone network
and a final end field 94 for the backbone network. In
FIG. 7, the ATM network encapsulation includes a
plurality of fixed-length cells (only a single middle
cell is shown between the first cell and the last) each
having an initial ATM cell start (ACS) field 96 and a
final ATM cell end (ACE) field 98. In FIG. 7, the
message content field 86 extends through all cells and a
final fill pattern field 100 is used to provide any
necessary padding in the last cell between end field 88
and ACE cell 98. In FIG. 7, there may be any number of
middle cells.

An important objective of the VLAN mechanism
provided by the present invention is to allow all parts
of the network, i.e., end stations and/or internal ports
of hubs, having the same VLAN designation to interchange
messages solely with one another. Message exchanges
between parts of the network having different VLAN
designations are specifically prevented. This
arrangement, in effect, allows those stations having the
same VLAN designation to function as if they were part of
the same LAN (i.e., as members of a virtual LAN or VLAN)
separate from all other stations having different VLAN
designations (i.e., belonging to different virtual LANs
or VLANs). This is accomplished by associating a VLAN
designation with each message, based upon the source of
the message. A message may then only be delivered (1) to
an end station that is connected to an internal port
having a matching VLAN designation, (2) to an internal
port that has a matching VLAN designation, or (3) to an
external port connected to a hub having a port with a
matching VLAN designation. The service thus provided is
fully comparable to the services provided by a
conventional LAN.

In its simplest form, the VLAN mechanism afforded by
the present invention assigns a VLAN designation to any
of the internal ports of a hub (i.e., any of internal
ports 12, 14, and 16 of network hub 10 in FIG. 3,
internal ports 112, 114, and 116 of network hub 110, and
internal ports 212, 214, and 216 of hub 210). There is
no requirement that the VLAN designations assigned to
different internal ports be different. In general, the
VLAN mechanism depends on the fact that a multiplicity of
internal ports, not necessarily on the same hub, have the
same VLAN designation.

The VLAN designation for each internal port is
stored in the memory (MEM) portion of the hub (i.e., MEM
42 for hub 10, MEM 142 for hub 110, and MEM 242 for hub
220). Every time a message is received by a hub on an
internal port, the VLAN designation of that port is then
associated with the message. Association is accomplished
by the flow processing element (FPE) 40, 140, or 214,
which looks up the VLAN designation in the respective one
of MEMs 42, 142, or 242, based on the number of the
internal port where the message originated. This type of
MEM operation can easily be performed by a content
addressable memory (CAM), although other memory
mechanisms may be used instead. The MEM may also be used
to identify the internal ports that have a VLAN
designation which matches the VLAN designation associated
with a message.

WO 95/01023 PCT/IB94/00185

When a message received from an internal port is to
be transmitted from the same hub's external port, the
appropriate VLAN designation is appended (see FIG. 5) by
the flow processing element (FPE), based on the internal
port from which the message was received. The message is
then encapsulated (see FIGS. 6 and 7) for transmission
onto the backbone network 76 by the external port. A
basic system in accordance with the invention also
forwards the message to all other internal ports of the
same hub that have a VLAN designation matching the VLAN
designation of the internal port from which the message
originated.

When an encapsulated message is received at the
external port of a hub (10, 110, or 210), the FPE (40,
140, or 240) de-encapsulates it to recover the VLAN
designation and the original message. A basic system in
accordance with the invention then forwards the message
to each of its internal ports that has a matching VLAN
designation.

To describe the message exchanges allowed, consider
the following example, in which VLAN designations (not
shown in the drawing) are underlined to distinguish them
from reference numerals. In FIG. 3, the VLAN designations
associated with hub 10, internal ports 12, 14, and 16 may
be 51, 61, and 71, respectively. The VLAN designations
associated with hub 110, internal ports 112, 114, and 116
may be 61, 71, and 81, respectively. The VLAN
designations associated with hub 210, internal ports 212,
214, and 216 may be 71, 81, and 81, respectively. In
this example, no other internal ports have matching VLAN
designations. This arrangement allows messages to be
exchanged among the end stations connected to internal
port 14 of hub 10 and internal port 112 of hub 110. It
also allows messages to be exchanged among the end
stations connected to internal port 16 of hub 10,
internal port 114 of hub 110, and internal port 212 of
hub 210. Similarly, it allows messages to be exchanged
between the end stations attached to internal port 116 of
hub 110, internal port 214 of hub 210, and internal port
216 of hub 210. If some other hub has an internal port
with a VLAN designation of 51, end stations attached to
it will be able to exchange messages with those attached
to internal port 12 of hub 10. No other message
exchanges are allowed to take place.
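
The example above can be checked mechanically. The following Python model is an added illustration, not part of the patent text: it loads the example designations into a per-hub table, tags each message from its ingress port, and applies the VLAN match (and, optionally, the destination-address match described in the Summary) at every internal port. End-station reference numerals stand in for MAC addresses, and the function names are assumptions of this sketch.

```python
# Constructed model of the three hubs of FIG. 3 (added example, not patent text).
# MEM: per hub, internal port -> (VLAN designation, end stations on that port).
# Designations are the example values from the text. End-station reference
# numerals stand in for MAC addresses; the text lists no stations for port 112.
MEM = {
    10:  {12: (51, {20, 22, 24}), 14: (61, {26, 28, 30}), 16: (71, {32, 34, 36})},
    110: {112: (61, set()), 114: (71, {126, 128, 130}), 116: (81, {132, 134, 136})},
    210: {212: (71, {220, 222, 224}), 214: (81, {226, 228, 230}),
          216: (81, {232, 234, 236})},
}


def associate(hub, ingress_port):
    """FPE lookup: the designation is taken from the port the message arrived
    on, never from anything the end station placed in the message."""
    return MEM[hub][ingress_port][0]


def egress_ports(hub, vlan, dest=None, exclude=None):
    """Internal ports of `hub` allowed to receive a message tagged `vlan`.
    With `dest` set, the port must also hold that destination address."""
    allowed = []
    for port, (port_vlan, stations) in sorted(MEM[hub].items()):
        if port == exclude or port_vlan != vlan:
            continue  # designation mismatch: the message never reaches this port
        if dest is not None and dest not in stations:
            continue  # address filter: destination is not on this port
        allowed.append(port)
    return allowed


def deliver(src_hub, src_port, dest=None):
    """Set of (hub, internal port) pairs that receive a message originating at
    (src_hub, src_port). dest=None models the basic system, which forwards to
    every matching port; a dest value adds the destination-address filter."""
    vlan = associate(src_hub, src_port)
    if dest is not None and dest in MEM[src_hub][src_port][1]:
        return set()  # destination shares the ingress port: nothing to forward
    reached = {(src_hub, p)
               for p in egress_ports(src_hub, vlan, dest, exclude=src_port)}
    # Designation appended for the backbone (FIG. 5); the tuple stands in for
    # field 90 and the encapsulation of FIGS. 6 and 7 is not modelled.
    frame = (vlan, dest)
    # The backbone is shared, so this sketch offers the frame to every other
    # hub; each hub filters on the designation carried in the frame.
    for hub in MEM:
        if hub != src_hub:
            reached |= {(hub, p) for p in egress_ports(hub, frame[0], frame[1])}
    return reached


def isolation_holds():
    """Every receiving port must carry the same designation as the source port."""
    for hub, ports in MEM.items():
        for port in ports:
            vlan = associate(hub, port)
            if any(associate(h, p) != vlan for h, p in deliver(hub, port)):
                return False
    return True


if __name__ == "__main__":
    for hub, ports in MEM.items():
        for port in ports:
            print((hub, port), "->", sorted(deliver(hub, port)))
    print("isolation holds:", isolation_holds())
```

The external-port filters described in the Summary reduce backbone traffic but do not change which ports receive a message, so they are left out of the model.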

The FPE 40 in combination with the MEM 42 may, in
accordance with various aspects of the invention, also be
used to provide a number of useful functions to enhance
the operation of the VLAN mechanism. Also stored in MEM
42, and associated with each of the internal ports may be
the unique MAC addresses of all of the end stations that
are attached to each particular internal port. These are
stored so that when the FPE 40 accesses MEM 42 using the
unique MAC address, MEM 42 returns the number of the
internal port and the VLAN designation associated with
it.

A further expansion of the capability of MEM 42 may,
in accordance with other aspects of the invention,
provide similar information for unique MAC addresses that
belong to end stations attached to the internal ports of
other hubs reachable through external port 18. This
allows FPE 40 to choose between alternative external
ports, or among paths that are provided by any individual
external port.

In operation, when a message is received from an
internal port, the FPE 40 accesses the MEM 42 in order
to associate a VLAN designation with the message based on
the internal port from whence it came, and in addition,
by using the unique MAC address in the DA field 82 of the
message, learns if the end station with the unique
address matching that DA is located on one of the
internal ports of the hub, and if so, which internal port
and the VLAN designation of that internal port. Possible
results include the following:

1. The end station with that DA is located on the
internal port from whence the message originated. In
this instance, no further action need be taken by the FPE
as the message should already have been received by the
proper end station.

2. The end station with that DA is located on one
of the other internal ports on the same hub and the VLAN
designation associated with the message by the FPE
matches that of the internal port on which that end
station is located. In this instance, the FPE forwards
the message to the appropriate internal port. It is not
necessary to append the VLAN designation to the message
as internal association with the hub is sufficient. If
the VLAN designation associated with the message does not
match that of the internal port on which the end station
with the DA is located, then the FPE discards the
message.

3. The end station with that DA is not located on
one of the other internal ports on the same hub. In this
instance, the message with the VLAN designation appended
is encapsulated in the appropriate format by the FPE 40
and forwarded to the external port for transmission on
the backbone network.

In the event (not shown) that there is more than one
external port in a network hub, the appropriately
encapsulated message may be forwarded to all of such
external ports for transmission on multiple backbone
networks, or in still more sophisticated systems, the FPE
(40, 140, or 240) in conjunction with the MEM (42, 142,
or 242) may be used to establish on which of the
available backbone networks the encapsulated message
should be forwarded, based on either the VLAN designation
associated with the message, the value of the DA field
contained in the message, or both.

When an encapsulated message is received from the
backbone by the hub at its external port, the
encapsulated message is de-encapsulated to obtain the
VLAN designation and the original message content. The
FPE (40, 140, or 240) then accesses the MEM (42, 142, or
242) to determine the appropriate action based on the
VLAN designation and the unique address in the DA field
82 of the message. If the end station with that DA is
found to be on one of the internal ports of the hub and
the VLAN designation associated with the message matches
that of the internal port on which that end station is
located, then the FPE (40, 140, or 240) forwards the
message to that internal port. Otherwise, the FPE (40,
140, or 240) discards the message.

Note that the procedures described above may be used
to ensure that a message is only forwarded to the
specific segment of the network where the end station
with the unique address matching the DA is located. This
offers a number of features, including the following:

1. The bandwidth capacity of a particular backbone
network segment or of a particular internal port is only
used for the transmission of messages that are indeed
intended for an end station that can be reached by that
backbone network segment or internal port.

2. A security feature is provided in that messages
are never transmitted over a backbone network segment
when the end station to which it is addressed is local to
the hub, never forwarded to an internal port that does
not have a VLAN designation that matches the VLAN
designation that is associated with the message, and
never forwarded to an internal port that does not have
the end station with the unique address that matches the
DA.

The former feature avoids wasting the available
bandwidth, while the latter enhances the value of the
VLAN principle by adding security equivalent to that
offered by a conventional LAN.

A number of enhancements of the VLAN mechanism may
be used to provide additional capabilities. One
enhancement may also associate a VLAN designation, or
series of VLAN designations, with an external port. A
message originating from one of the end stations on one
of the internal ports is only forwarded to an external
port for transmission over the backbone network by the
FPE 40 when the VLAN designation associated with the
message matches a VLAN designation associated with the
external port. This feature of the VLAN may be used to
limit and control traffic on the backbone transmission
network.

Another enhancement is provided by allowing an
internal port to have multiple VLAN designations assigned
to it. Thus, a message originating from one of the end
stations attached to that internal port may have more
than one VLAN designation associated with it by the FPE.
In this instance, all of the operations described
elsewhere herein are the same as they have already been
described, except that the VLAN designation associated
with the message is interpreted as a series of VLAN
designations and a match is achieved when any one of the
VLAN designations matches. With this enhancement, the VLAN
designation as shown appended to the message for
transmission on the backbone network (see FIG. 5) is
actually a series of VLAN designations. In simple
operation, the message is forwarded to all internal ports
that have a VLAN designation that matches one of the VLAN
designations associated with the message. In enhanced
operation, the message is forwarded to the specific
internal port that has the end station with the unique
address that matches the DA of the message when one of
that internal port's VLAN designations matches one of the
VLAN designations associated with the message.

Examples of the message exchanges allowed using the
preceding enhancement include the following: In FIG. 3,
the VLAN designations associated with internal port 12 of
hub 10 may be 51, 61 and 71; the VLAN designations
associated with internal port 112 of hub 110 may be 61
and 81, while the VLAN designations associated with
internal port 212 of hub 210 may be 71 and 81. End
stations connected to these three internal ports,
internal port 12 of hub 10, internal port 112 of hub 110,
and internal port 212 of hub 210, are all able to
exchange messages with one another. If some other
internal port has a VLAN designation of 51, end stations
connected to it may exchange messages with those
connected to internal port 12 of hub 10. If some other
internal port has a VLAN designation of 61, end stations
connected to it may exchange messages with those
connected to internal port 12 of hub 10 and internal port
112 of hub 110. If some other internal port has a VLAN
designation of 71, end stations connected to it may
exchange messages with those connected to internal port
112 of hub 110 and internal port 212 of hub 210.
If some other internal port has a VLAN designation
of 81, end stations connected to it may exchange messages
with those connected to internal port 112 of hub 110 and
internal port 212 of hub 210. Finally, if some other
internal port has only a VLAN designation of 91, end
stations connected to it will not be able to exchange
messages with those connected to any of internal ports
12, 112, or 212.
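
The forwarding decisions described above, for one VLAN designation per port and for the multiple-designation enhancement, can be modelled as follows; this is an added Python example, not part of the patent text. It assumes unicast messages, MAC addresses already learned into MEM, and a backbone that delivers every encapsulated message to all other hubs; the class and function names and the station labels `sta-<port>` are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Hub:
    name: int
    port_vlans: dict   # MEM: internal port -> set of VLAN designations
    mac_port: dict     # MEM: learned station MAC -> internal port

    def from_internal(self, src_port, da):
        """FPE decision for a message received on an internal port."""
        vlans = self.port_vlans[src_port]      # designation comes from the ingress port
        dst_port = self.mac_port.get(da)
        if dst_port is None:                   # result 3: DA not local, send to backbone
            return "backbone", frozenset(vlans)
        if dst_port == src_port:               # result 1: same segment, nothing to do
            return "none", None
        if vlans & self.port_vlans[dst_port]:  # result 2: forward only on a VLAN match
            return "forward", dst_port
        return "discard", None

    def from_backbone(self, vlans, da):
        """FPE decision for a de-encapsulated message from the external port."""
        dst_port = self.mac_port.get(da)
        if dst_port is not None and vlans & self.port_vlans[dst_port]:
            return "forward", dst_port
        return "discard", None

def build(table):
    """One constructed station 'sta-<port>' per internal port (labels are not from the patent)."""
    return [Hub(h, pv, {f"sta-{p}": p for p in pv}) for h, pv in table.items()]

def deliver(hubs, src_port, da):
    """Return the (hub, port) pairs a unicast message is forwarded to."""
    src = next(h for h in hubs if src_port in h.port_vlans)
    action, detail = src.from_internal(src_port, da)
    if action == "forward":
        return [(src.name, detail)]
    if action != "backbone":
        return []
    hits = [(h.name, h.from_backbone(detail, da)) for h in hubs if h is not src]
    return [(n, port) for n, (act, port) in hits if act == "forward"]

# VLAN designations as given in the text for FIG. 3
SINGLE = {10: {12: {51}, 14: {61}, 16: {71}},
          110: {112: {61}, 114: {71}, 116: {81}},
          210: {212: {71}, 214: {81}, 216: {81}}}
MULTI = {10: {12: {51, 61, 71}}, 110: {112: {61, 81}}, 210: {212: {71, 81}}}

if __name__ == "__main__":
    hubs = build(SINGLE)
    print(deliver(hubs, 14, "sta-112"))  # designation 61 on both ports
    print(deliver(hubs, 14, "sta-114"))  # 61 against 71: discarded at hub 110
```
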

Another enhancement is provided by allowing each of
the ports themselves to have a separate VLAN designation
that is different from the VLAN designation that becomes
associated with messages that originate from the end
stations connected to the internal port. This
enhancement requires that an internal port signal the FPE
(40, 140, or 240) along with each message to
differentiate between messages that originate in the
internal port and messages that originate in one of the
connected end stations. This enhancement does not have
any effect on exchanges of messages between end stations
connected to these internal ports. Instead, it provides
a VLAN designation that may be uniquely associated with
all management information either directed at the ports
or exchanged between internal ports. This VLAN
designation may have special rules of use and may be
associated with messages from end stations that have a
special management status.

What is claimed is:

1. A digital data communications network hub (10)
for controlling the transmission of messages to internal
and external ports and to any end stations connected to
the internal and external ports, where only the external
ports are connectible to hubs other than the hub,
characterized by the combination of:

n internal ports (12, 14, 16) for receiving and
transmitting messages within the hub, where n is an
integer greater than zero;

m external ports (18) for receiving and
transmitting messages external to the hub, where m is an
integer greater than zero;

memory means (42) for storing virtual local
area network (VLAN) designations for at least some of the
internal ports and for storing media access control (MAC)
addresses of the internal ports;

means (60) for assigning a VLAN designation to
at least one of the internal ports and storing the
assigned VLAN designation in the memory means;

means (64) for associating the stored VLAN
designation with messages transmitted from any of the
internal ports to which the stored VLAN designation has
been assigned;

means (66) for identifying VLAN designations
associated with messages received by any of the ports;
and

means (68) for transmitting to any of the
internal ports only messages received within the hub
which have an associated VLAN designation which matches
the stored VLAN designation assigned to those particular
ports.

2. The network hub of claim 1 further
characterized by the combination of:

means (60) for storing in the memory means VLAN
designations for at least some of the external ports; and

means (70) for transmitting outside of the hub
from any of the external ports only messages having
associated with them VLAN designations which match a VLAN
designation stored in the memory means and associated
with such external ports.

3. The network hub of claim 1 further
characterized by:

means (62) for determining the MAC address of
each end station connected to any of the internal ports
and storing the MAC addresses thus obtained in the memory
means; and in which:

the memory means also stores MAC addresses for
end stations including end stations connected to any of
the internal ports;

the means for identifying VLAN designations
also identifies destination addresses carried by messages
received within the hub;

and the means for transmitting transmits to any
of the internal ports only received messages which have
an associated VLAN designation which matches the stored
VLAN designation assigned to that particular port and
carry a destination address which matches the stored MAC
address of one of the end stations connected to the same
port.

4. The network hub of claim 3 in which at least
one of the internal ports is assigned at least a first
VLAN designation for messages addressed to end stations
to which it is connected and at least a second VLAN
designation for messages addressed to it rather than to
end stations to which it is connected.

5. The network hub of claim 3 further
characterized by:

means (70) for transmitting outside the hub
from the external ports messages which have associated
with them the assigned VLAN designation and which
originate from any of the internal ports only when such
transmitted messages are addressed to neither an internal
port within the hub nor an end station connected to an
internal port within the hub.

6. The network hub of claim 3 further
characterized by the combination of:

means (60) for storing in the memory means VLAN
designations for at least some of the external ports; and

means (70) for transmitting outside of the hub
from any of the external ports only messages having
associated with them VLAN designations which match a VLAN
designation stored in the memory means and associated
with such external ports.

7. The network hub of claim 3 further
characterized by the combination of:

means (62) for storing in the memory means MAC
addresses for at least some of any end stations connected
to the hub only through the external ports and VLAN
designations for at least some of the external ports; and

means (70) for transmitting outside the hub
from any of the external ports messages originating from
any of the internal ports only to an end station whose
MAC address is stored in the memory means or, if the
addressed end station's MAC address is not stored in the
memory means, then only through an external port having a
VLAN designation matching the VLAN designation of the
internal port at which the messages originate.